Cybersecurity for Ontario Financial Brokerages: An FSRA-Aligned MBRCC + RIBO Playbook for 2026

Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

An Ontario mortgage brokerage and an Ontario insurance brokerage now sit inside the same incident-notification regime. FSRA supervises both verticals. The MBRCC sets the 9 cybersecurity principles FSRA has adopted for the mortgage side. RIBO issued Responsible AI Use guidance for insurance licensees in May 2025.

FINTRAC reporting obligations stack on top of both verticals. PIPEDA and the Office of the Privacy Commissioner sit above all of it. This is the cross-vertical playbook a 6 to 25-agent Ontario brokerage actually executes against in 2026.

It covers the spine matrix that maps FSRA, MBRCC, and RIBO requirements to specific Microsoft 365 Business Premium controls. It covers the 15-minute incident notification SOP that applies to both verticals. It covers lender-channel hardening for mortgage brokerages and broker management system hardening for insurance brokerages. It also covers the 90-day rollout we use with clients.

This is a companion to our AI deployment guide for Canadian law firms and to our cybersecurity services overview.

Key Takeaways

  • FSRA’s IT Risk Management Guidance, adopted in 2024 and reinforced in the 2025-26 Mortgage Brokering Supervision Plan, applies to both mortgage brokerages and insurance brokerages. Material IT incidents trigger a same-day notification to FSRA via the IT Risk Incident Notification Form.
  • The MBRCC’s Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector (April 2024, adopted by FSRA) translate into 9 implementable IT controls: governance, risk assessment, asset inventory, access controls, threat detection, response planning, recovery, third-party risk, and ongoing training.
  • RIBO’s Responsible AI Use Among RIBO Licensees guidance (May 29, 2025) imposes four governance pillars on insurance brokerages using AI: competency and accountability, client interest and suitability, transparency and human oversight, and privacy and data protection.
  • FSRA’s 2024-26 mortgage brokerage enforcement run produced roughly CAD $875K in administrative monetary penalties across the sector, the largest cluster of mortgage-sector AMPs since FSRA assumed its supervisory mandate from the former regulator.
  • A 12-agent Ontario brokerage running Microsoft 365 Business Premium with the controls in this playbook lands around CAD $32 per user per month for the security stack, plus 24 to 32 hours of one-time configuration. The licensing is the small number; the runbook discipline is what produces the FSRA-defensible posture.

The 2026 FSRA stack: why both mortgage and insurance brokerages are in the same incident regime

FSRA is the prudential and market-conduct regulator for both mortgage brokerages and insurance brokerages in Ontario. The agency was stood up in 2019 as the successor to FSCO and now supervises five financial-services sectors under one umbrella.

For the brokerage layer, FSRA delegates the licensing of insurance brokers to RIBO and adopts the MBRCC’s cybersecurity principles for the mortgage side. Both sectors answer to FSRA on prudential and IT-risk matters, even when day-to-day licensing sits with RIBO or with FSRA’s own mortgage brokering branch.

According to FSRA’s IT Risk Management Guidance (adopted 2024), all FSRA-regulated entities are expected to identify, assess, and mitigate IT risks and to notify FSRA promptly of material IT incidents through the IT Risk Incident Notification Form.

The guidance is principles-based, which means FSRA does not prescribe a specific control framework. A brokerage that adopts CIS Controls v8 IG1, the MBRCC 9 principles, or a NIST CSF mapping satisfies the expectation, as long as the runbook is documented and the notification SOP is in place.

The cross-vertical reality is this. A mortgage brokerage holds borrower SIN, T4 income statements, bank statements, and lender-channel credentials. An insurance brokerage holds policyholder PII, claims history, broker-of-record (BOR) attestations, and beneficiary data. The control set that protects both data classes is the same. The regulatory paperwork that sits on top of it is the differentiator.

According to RIBO’s Responsible AI Use Among RIBO Licensees (May 29, 2025), insurance brokerages using AI tools face four governance pillars: competency and accountability, client interest and suitability, transparency and human oversight, and privacy and data protection.

The guidance is explicit that “these obligations do not change when using AI technology and tools.” The implication for IT: any AI tool that touches policyholder data needs a written vendor review, a human-in-the-loop approval workflow, and a data-residency check.

“Anything generated or altered by an AI tool is overseen by a licensed member before being presented to a client.”

Registered Insurance Brokers of Ontario, Responsible AI Use Among RIBO Licensees (May 2025)

MBRCC’s 9 Cybersecurity Principles, translated into IT controls a 12-agent brokerage can execute

According to the MBRCC Principles for Cybersecurity Preparedness (April 2024), FSRA adopted the 9-principle document into its supervisory expectations for Ontario mortgage brokerages later that year. The principles are written at the governance level. A brokerage operationalizes them through the paired control set we deploy in the field.

Principle 1, governance, requires a named accountable executive. In a 12-agent brokerage that is the principal broker (mortgage) or the broker-of-record (insurance), with the IT lead reporting to them on a quarterly cadence.

Principle 2, risk assessment, requires a documented inventory of the data assets the brokerage holds and the threats against them. Principle 3, asset inventory, requires a complete list of every device, account, and SaaS application that touches client data, refreshed at least annually.

Principle 4, access controls, is the largest single block of effort. The control set is: multi-factor authentication on every account that accesses client data, role-based access for the broker management system, conditional access policies on Microsoft 365, and quarterly access reviews. Principle 5, threat detection, requires endpoint detection and response (EDR) on every workstation, email-borne threat protection, and centralized logging.

Principle 6, response planning, is the IT Risk Incident Notification SOP we cover in section 4. Principle 7, recovery, is a backup-and-restore runbook with documented recovery point objectives (RPOs) and recovery time objectives (RTOs). Principle 8, third-party risk, requires written vendor reviews for every cloud service and a documented offboarding process when a vendor relationship ends. Principle 9, ongoing training, requires annual cybersecurity awareness training for every agent with documented completion.

The MBRCC document does not prescribe Microsoft 365, CrowdStrike, or any specific vendor. It does require evidence that the principle has been implemented. A brokerage that can produce a runbook, a vendor list, an access review log, and a tabletop exercise record satisfies the principle. A brokerage that has bought the tools but cannot produce the documentation does not.

RIBO’s May 2025 Responsible AI Use: the 4 governance pillars insurance brokerages must satisfy

RIBO published the Responsible AI Use Among RIBO Licensees guidance on May 29, 2025. It applies to every Ontario-licensed insurance broker who uses generative AI, predictive AI, or AI-assisted customer-facing tools in the course of their licensed activities. The four pillars frame the obligations, but the IT controls that satisfy them are operational.

Pillar 1, competency and accountability, requires that the licensee remains responsible for any output an AI tool produces. The IT control is a documented approval workflow: every AI-generated client communication, quote, or risk summary passes through a named licensed reviewer before it leaves the brokerage. A Microsoft Copilot deployment without a review-and-approve step does not satisfy this pillar.

Pillar 2, client interest and suitability, requires that a licensed member oversees any AI-generated content before it reaches a client. This is the same control loop as pillar 1, framed against the client-facing artifact rather than the licensee’s accountability. In practice it means no auto-send on AI-drafted email, no auto-publish on AI-drafted policy summaries, and a record of who approved what.

Pillar 3, transparency and human oversight, requires that clients know when they are engaging with AI instead of a human. The IT control here is conversational AI tooling that watermarks AI-generated content and a client-facing disclosure in the brokerage’s privacy notice or AI-use policy. RIBO’s guidance is explicit on this point.

Pillar 4, privacy and data protection, requires that the brokerage vets its AI vendors to ensure that policyholder data does not leave the brokerage’s control or get used for model training.

The IT control is a vendor-review checklist that asks four questions: where is the data processed, what is the data-residency commitment, is the data used for training, and how is data deleted on exit. Microsoft 365 Copilot with the enterprise data protection commitment passes; a free-tier consumer AI assistant does not.

FSRA IT Risk Incident Notification: the 15-minute SOP that applies to both verticals

FSRA’s IT Risk Management Guidance requires “prompt” notification of material IT incidents. The agency does not define a hard hour-count in the guidance text, but its supervisory expectation, reinforced in conversations with the supervision branch through 2025, is that initial notification reaches FSRA within the same business day the incident is detected. Insurance brokerages route the same notification through RIBO when the incident affects licensed activities, and mortgage brokerages route through FSRA directly.

The SOP we deploy with clients is the same on both sides of the umbrella. Step 1 is detection: the EDR, email security, or SIEM raises an alert. Step 2 is triage by the IT lead within 15 minutes of detection to classify the incident as material or non-material. Step 3 is escalation to the principal broker or broker-of-record.

Step 4 is the FSRA IT Risk Incident Notification Form, submitted the same business day. Step 5 is FINTRAC notification if the incident also constitutes a suspicious-activity event or a reportable cyber event under FINTRAC’s incident expectations. Step 6 is OPC notification under PIPEDA if the breach creates a real risk of significant harm.

The 15-minute clock starts at detection, not at certainty. A brokerage that waits for forensic confirmation before triggering the SOP will miss FSRA’s same-day window in most ransomware scenarios. The runbook we deploy treats “reasonable suspicion of a material IT incident” as the trigger, with the form submitted on an initial-information basis and updated as facts firm up.

What goes in the form: the entity name and licensing reference, the date and time of detection, a brief description of the incident, the systems and data classes affected, the actions taken to contain it, and the contact information for the lead respondent. The brokerage does not need root-cause analysis at notification time. FSRA expects an update within 5 business days and a closure report when remediation completes.
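The six-step SOP above turns into a set of clocks that start at detection. The planner below is a constructed example (not Fusion Computing’s runbook tooling) that computes those clocks for an incident record: the 15-minute triage window, the same-business-day FSRA form (routed via RIBO for insurance licensees), the 5-business-day update, and the FINTRAC, OPC and Quebec CAI branches. It assumes 17:00 is the brokerage’s close of business, that detection off-hours rolls the “same business day” to the next business day, and uses a constructed holiday subset.

```python
"""Notification-deadline planner for the 6-step IT Risk Incident Notification SOP.

Constructed example, not Fusion Computing's runbook tooling. Assumptions:
17:00 is the brokerage's close of business, detection on a non-business day
or after close rolls the "same business day" window to the next business day,
and the holiday calendar is a constructed subset for the sample dates.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

CLOSE_OF_BUSINESS = time(17, 0)                              # assumption
CONSTRUCTED_HOLIDAYS = {date(2026, 7, 1), date(2026, 8, 3)}  # constructed subset: Canada Day, Civic Holiday


@dataclass
class Incident:
    detected_at: datetime                        # step 1: EDR / email security / SIEM alert time
    material: bool                               # step 2: IT-lead triage outcome
    vertical: str                                # "mortgage" or "insurance"
    financial_crime_element: bool = False        # attempted wire, fraudulent BOR letter, etc.
    real_risk_of_significant_harm: bool = False  # PIPEDA breach-notification test
    quebec_files_affected: bool = False          # brings Quebec Law 25 into scope


def is_business_day(d: date) -> bool:
    return d.weekday() < 5 and d not in CONSTRUCTED_HOLIDAYS


def add_business_days(start: date, n: int) -> date:
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


def same_business_day_deadline(detected: datetime) -> datetime:
    """Close of business on the detection day, or the next business day if detected off-hours."""
    d = detected.date()
    if not is_business_day(d) or detected.time() >= CLOSE_OF_BUSINESS:
        d = add_business_days(d, 1)
    return datetime.combine(d, CLOSE_OF_BUSINESS)


def build_notification_plan(inc: Incident):
    """Return (step, recipient, due) tuples; due is None where the SOP sets no fixed clock."""
    triage_due = inc.detected_at + timedelta(minutes=15)
    plan = [(2, "IT lead triage: classify material / non-material", triage_due)]
    if not inc.material:
        plan.append((2, "internal incident log only; no regulator notification", None))
        return plan
    executive = "principal broker" if inc.vertical == "mortgage" else "broker-of-record"
    plan.append((3, f"escalate to {executive}", triage_due))  # assumption: immediately after triage
    channel = "RIBO" if inc.vertical == "insurance" else "FSRA"
    initial = same_business_day_deadline(inc.detected_at)
    plan.append((4, f"FSRA IT Risk Incident Notification Form, initial information, via {channel}", initial))
    update = datetime.combine(add_business_days(initial.date(), 5), CLOSE_OF_BUSINESS)
    plan.append((4, "FSRA update within 5 business days", update))
    plan.append((4, "FSRA closure report when remediation completes", None))
    if inc.financial_crime_element:
        plan.append((5, "named compliance officer runs FINTRAC reporting on its own clock", None))
    if inc.real_risk_of_significant_harm:
        plan.append((6, "OPC breach report under PIPEDA, as soon as feasible", None))
        if inc.quebec_files_affected:  # assumption: Law 25 branch tracks the same harm test
            plan.append((6, "CAI notification under Quebec Law 25", None))
    return plan


def plan_for(detected_iso: str, material: bool, vertical: str, **flags):
    """Convenience wrapper: build the plan from an ISO-8601 detection timestamp."""
    return build_notification_plan(Incident(datetime.fromisoformat(detected_iso), material, vertical, **flags))


def deadline_for(plan, keyword: str):
    """Due datetime of the first plan entry whose recipient mentions keyword (None if unset)."""
    for _step, recipient, due in plan:
        if keyword in recipient:
            return due
    return None


if __name__ == "__main__":
    # Saturday detection at an insurance brokerage with a financial-crime element.
    for step, recipient, due in plan_for("2026-07-04T10:00", True, "insurance",
                                         financial_crime_element=True,
                                         real_risk_of_significant_harm=True):
        print(f"step {step}: {recipient} -> {due or 'no fixed clock'}")
```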

The Spine Matrix: FSRA / MBRCC / RIBO requirements x brokerage type x Microsoft 365 Business Premium controls

According to FSRA’s IT Risk Management Guidance, every regulated brokerage is expected to map its IT controls to a documented framework. The matrix below is the document we hand to brokerages in week 1 of an engagement. It maps each obligation to the specific Microsoft 365 Business Premium control that satisfies it.

| Requirement | Source | Applies to | M365 Business Premium control | Evidence kept |
|---|---|---|---|---|
| Named accountable executive for IT risk | MBRCC P1; FSRA ITRM | Both | Governance charter; PB or BOR named | Signed governance document, quarterly minutes |
| Documented risk assessment | MBRCC P2; FSRA ITRM | Both | Annual IT risk register | Risk register PDF, dated and signed |
| Asset inventory | MBRCC P3 | Both | Intune device inventory; Entra app inventory | Intune + Entra export, monthly cadence |
| MFA on every account with client-data access | MBRCC P4; FSRA ITRM | Both | Entra ID conditional access; phishing-resistant MFA | CA policy export, sign-in log retention 90 days |
| Role-based access on BMS / lender channel | MBRCC P4 | Both | Filogix / Applied Epic / Vertafore role config | Vendor admin export, quarterly review log |
| Endpoint detection and response | MBRCC P5; FSRA ITRM | Both | Microsoft Defender for Business | Defender device health export, monthly |
| Email-borne threat protection | MBRCC P5 | Both | Defender for Office 365 P1 (BP-included) | Quarterly campaign and quarantine report |
| Incident notification SOP | MBRCC P6; FSRA ITRM | Both | Written 6-step runbook; annual tabletop | Runbook PDF + tabletop after-action report |
| Backup and recovery with stated RPO / RTO | MBRCC P7 | Both | M365 backup (third-party, e.g., Datto or Veeam) | Quarterly restore test log |
| Third-party / vendor risk review | MBRCC P8; RIBO pillar 4 | Both | Vendor checklist (residency, training, deletion) | Signed vendor reviews on file |
| Annual security awareness training | MBRCC P9 | Both | Defender Attack Simulator + LMS module | Completion certificates, attendance log |
| AI-generated content review workflow | RIBO pillars 1, 2 | Insurance | Copilot governance; approval queue in Teams | Approval log with named licensee |
| Client-facing AI disclosure | RIBO pillar 3 | Insurance | Privacy notice update; AI-use policy | Published policy with version date |
| FINTRAC reporting capacity | PCMLTFA | Both | F2R web portal access; named compliance officer | Annual compliance regime review |

Read across any row and the brokerage gets the regulatory citation, the vertical it applies to, the tool that satisfies it, and the artifact that proves it during an FSRA supervisory examination. That last column is the one brokerages most often miss in their first cyber attestation cycle.

Canadian data sovereignty: borrower SIN, T4s, policyholder PII, claims history

A mortgage brokerage holds some of the most sensitive personal data a Canadian financial institution touches. Borrower SIN, T4 income statements, notice of assessment, bank statements, and credit-bureau pulls all live in the application file.

An insurance brokerage holds policyholder PII, medical disclosures on life and disability policies, claims history, and broker-of-record attestations. Both data classes attract CLOUD Act exposure when stored on US-cloud infrastructure, Quebec Law 25 obligations when the brokerage has Quebec clients, and PIPEDA obligations across all Canadian provinces.

According to the Office of the Privacy Commissioner of Canada’s PIPEDA guidance, organizations handling personal information must implement “safeguards appropriate to the sensitivity of the information.” A brokerage handling SIN and income documents sits at the high end of that sensitivity spectrum, which raises the safeguards bar to encryption at rest and in transit, MFA on every account with access, and breach notification when there is a real risk of significant harm.

The Canadian data-residency play is to provision the Microsoft 365 tenant in the Canada region. Core workload data for Exchange, SharePoint, OneDrive, and Teams stores in Canada Central and Canada East datacentres. Defender for Business and Defender for Office 365 telemetry processes in-region for Canadian tenants where the option is available.

That posture does not eliminate CLOUD Act exposure (Microsoft Corporation is a US-incorporated parent), but it sharpens the legal defence and reduces the practical exposure to non-Canadian discovery.

For Quebec policyholders or mortgage applicants, Law 25 adds a layer: explicit, granular consent for cross-border transfers, a data-protection officer designation, and incident notification to the Commission d’accès à l’information when the brokerage has Quebec clients. A brokerage with even a single Quebec file should treat Law 25 as in scope; the threshold is not market share, it is the presence of the personal information.

For context on the broader Canadian financial-sector cyber expectation, the Office of the Superintendent of Financial Institutions (OSFI) Integrity and Security Guideline sets the cyber-resilience bar for federally regulated financial institutions (banks, federal trust companies, life insurers). FSRA-regulated brokerages are provincially supervised, but OSFI’s control set is the reference framework Canadian financial-services lawyers and underwriters expect to see mirrored at the brokerage layer.

Lender-channel hardening for mortgage brokerages: Filogix, Velocity, BluMortgage, Finmo, Newton

According to the MBRCC Principles for Cybersecurity Preparedness, Principle 4 on access controls applies to every platform that touches borrower data, including BMS platforms beyond the Microsoft 365 tenant. For Canadian mortgage brokerages, that includes Filogix Expert, Velocity, BluMortgage, Finmo, and Newton (Lendesk). Each BMS has its own credential model and its own MFA configuration.

The hardening pattern is consistent. Step 1: enable MFA on every brokerage user account at the platform level, not just at the Microsoft 365 layer. A platform with its own credentials needs its own MFA.

Step 2: configure role-based permissions so junior agents see only their own files and the principal broker has the full administrative view. Step 3: review the lender-channel credentials separately. Filogix maintains lender-side credentials that the brokerage administrator can rotate; the rotation cadence is quarterly at minimum.

Step 4: turn on audit logging if the platform offers it (most do), and retain the logs for 12 months as evidence for an FSRA supervisory examination.

Step 5: when an agent leaves the brokerage, the offboarding runbook deactivates the BMS account before the Microsoft 365 account, because BMS access is often the longer-tail risk: an ex-agent with retained BMS credentials can pull active borrower SIN data after their email is cut off.

Cloud-hosted BMS platforms (BluMortgage, Finmo, Newton) inherit the SOC 2 control set of their vendor. The brokerage’s residual responsibility is account-level: MFA, role assignment, deprovisioning, and the periodic access review. On-premise or legacy Filogix Expert installations require additional work on the brokerage side: server patching, OS-level access control, and a documented backup runbook.

For brokerage-association context, Mortgage Professionals Canada (MPC) publishes member-facing guidance on cybersecurity preparedness that mirrors the MBRCC principles. Members can reference MPC’s practice resources alongside FSRA and MBRCC guidance when building out the brokerage runbook.

Insurance broker IT hardening: Applied Epic, Vertafore, EZLynx, Power Broker

An Ontario insurance brokerage typically runs its operations on one of four broker management systems: Applied Epic, Vertafore (AMS360 or QQCatalyst), EZLynx, or Power Broker. Each holds policyholder PII, claims notes, beneficiary records, and BOR documentation. The control set is parallel to the mortgage side, with one structural difference: insurance BMS platforms more often hold linked carrier credentials that the brokerage uses to pull policy data on behalf of clients.

The hardening checklist runs the same five steps. Platform-level MFA on every brokerage account. Role-based permissions configured by licence type (RIBO Level 1, 2, or 3). Carrier-credential rotation on a quarterly schedule. Audit logs retained 12 months. Documented offboarding that deactivates the BMS before the email.

One additional consideration: insurance BMS integrations into rating engines and carrier portals create lateral exposure. A compromised brokerage account can be used to pull rate quotes at scale or to attempt fraudulent BOR letters. The detection control is the same Defender for Business signal plus a behavioural rule: alert on anomalous volume of rating requests from a single agent account. The response is the FSRA notification SOP.
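The behavioural rule described above, worked through as a constructed example (not Fusion Computing’s detection content and not any BMS vendor’s log format): the line layout, field names and the log itself are assumptions generated in the block. Each agent’s baseline is their own median hourly count of rating requests over earlier hours, and an hour alerts only when it clears both an absolute floor and a multiple of that baseline, so a new agent’s first busy hour does not fire; the alert is the step-1 signal that starts the notification SOP.

```python
"""Behavioural rule over BMS audit logs: flag an anomalous hourly volume of
rating requests from a single agent account.

Constructed example, not Fusion Computing's detection content and not any
vendor's log format: the line layout and field names are assumptions, and the
log itself is generated below. Baseline is the agent's own median hourly count
over earlier hours; an hour alerts when it clears both an absolute floor and a
multiple of that baseline, which avoids firing on a new agent's first hour.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed line shape: "<iso-timestamp>Z agent=<login> action=<ACTION> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+)")


def constructed_log():
    """Two normal business days for agent aruiz, then a 40-request burst at 02:00."""
    lines = []
    start = datetime(2026, 3, 9, 9, 0)
    for day in range(2):
        for hour in range(8):  # 09:00 to 16:59, three quotes per hour
            for i in range(3):
                ts = start + timedelta(days=day, hours=hour, minutes=15 * i)
                lines.append(f"{ts.isoformat()}Z agent=aruiz action=RATE_REQUEST carrier=CarrierA")
    burst = datetime(2026, 3, 11, 2, 0)
    for i in range(40):  # one request per minute from the same account, off-hours
        ts = burst + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()}Z agent=aruiz action=RATE_REQUEST carrier=CarrierB")
    lines.append("2026-03-11T02:10:00Z agent=dpatel action=LOGIN")  # unrelated event, ignored
    return lines


def hourly_counts(lines):
    """agent -> hour bucket -> number of RATE_REQUEST events."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["action"] != "RATE_REQUEST":
            continue
        ts = datetime.fromisoformat(m["ts"].rstrip("Z"))
        counts[m["agent"]][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def detect_rating_bursts(lines, min_abs=20, ratio=3.0):
    """One alert per (agent, hour) whose volume is anomalous against that agent's own history."""
    alerts = []
    for agent, buckets in hourly_counts(lines).items():
        for bucket in sorted(buckets):
            history = [c for b, c in buckets.items() if b < bucket]  # only earlier hours
            baseline = median(history) if history else 0
            count = buckets[bucket]
            if count >= min_abs and count >= ratio * baseline:
                alerts.append({
                    "agent": agent,
                    "hour": bucket.isoformat(),
                    "count": count,
                    "baseline": baseline,
                    "off_hours": bucket.hour < 7 or bucket.hour >= 20,  # assumption: 07:00-20:00 is normal
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rating_bursts(constructed_log()):
        print(alert)
```

Tuning `min_abs` and `ratio` against the brokerage’s real rating volume is the first thing to do before wiring the rule into the SOP.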

For brokerage-association context, the Insurance Brokers Association of Ontario (IBAO) publishes practice-management guidance for members and runs continuing-education programming that increasingly references cyber-readiness and AI governance. Members can pair the IBAO resources with the RIBO Responsible AI Use guidance when building the brokerage’s AI-use policy.

The FSRA examiners did not ask what security tools we had bought. They asked for the access-review log, the tabletop after-action report, and the vendor-review folder. Fusion built the runbook that produced those artifacts, and that is what made the attestation defensible.

Principal broker, GTA mortgage brokerage, 14 agents. RIBO Level 2 licensed. Engaged Fusion through the 2025-26 FSRA supervisory cycle.

FIELD NOTE FROM MIKE

In a Q1 2026 engagement with an 18-agent Mississauga insurance brokerage, the first finding wasn’t a missing tool; it was a missing offboarding runbook. Three former agents still held active credentials to the Applied Epic tenancy six to fourteen months after their last day. None of those accounts had MFA enrolled.

The fix took 90 minutes of work and closed a credential-exposure gap that would have failed an FSRA examination on the spot. The brokerage had been paying for the security tools; the runbook discipline was the gap.
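The offboarding step in both hardening checklists (BMS account first, then Microsoft 365) and the field note’s finding come down to one reconciliation: the HR roster against the BMS and Microsoft 365 user exports. The script below is a constructed example, not Fusion Computing’s tooling; the three CSVs are constructed samples with assumed column names (real vendor exports differ), and the findings it emits are the ones a quarterly access-review log has to surface.

```python
"""Quarterly access-review reconciliation: HR roster vs BMS and Microsoft 365 exports.

Constructed example, not Fusion Computing's tooling. The three CSVs below are
constructed samples with assumed column names; real vendor exports differ.
Findings are what the access-review log has to surface: BMS logins still
active after an agent's last day, active logins without platform-level MFA,
orphan BMS logins with no HR record, and offboardings where the BMS account
was deactivated after the Microsoft 365 account (runbook order is BMS first).
"""
import csv
import io
from collections import Counter
from datetime import date

HR_ROSTER = """employee_id,name,status,last_day
E001,Ana Ruiz,active,
E002,Ben Okafor,terminated,2025-06-15
E003,Chloe Tremblay,terminated,2025-11-30
E004,Dev Patel,active,
"""

BMS_EXPORT = """employee_id,bms_login,bms_status,mfa_enrolled,deactivated_on
E001,aruiz,active,yes,
E002,bokafor,active,no,
E003,ctremblay,deactivated,no,2026-01-20
E004,dpatel,active,no,
E999,contractor1,active,no,
"""

M365_EXPORT = """employee_id,upn,account_enabled,mfa_registered,disabled_on
E001,ana@brokerage.example,yes,yes,
E002,ben@brokerage.example,no,no,2025-06-15
E003,chloe@brokerage.example,no,yes,2025-11-30
E004,dev@brokerage.example,yes,yes,
"""


def load(text):
    """Parse a CSV export into a dict keyed by employee_id."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(hr_text, bms_text, m365_text, as_of_iso):
    """Return (severity, employee_id, message) findings for the access-review log."""
    as_of = date.fromisoformat(as_of_iso)
    hr, bms, m365 = load(hr_text), load(bms_text), load(m365_text)
    findings = []

    # The BMS credential is separate from the M365 layer: check MFA on every active BMS login.
    for eid, acct in bms.items():
        if acct["bms_status"] != "active":
            continue
        if acct["mfa_enrolled"] != "yes":
            findings.append(("HIGH", eid, f"BMS login {acct['bms_login']} has no platform-level MFA"))
        if eid not in hr:
            findings.append(("CRITICAL", eid, f"orphan BMS login {acct['bms_login']} with no HR record"))

    # Terminated staff: nothing should still be active, and the BMS must have gone first.
    for eid, person in hr.items():
        if person["status"] != "terminated":
            continue
        last_day = date.fromisoformat(person["last_day"])
        acct, m = bms.get(eid), m365.get(eid)
        if acct and acct["bms_status"] == "active":
            days = (as_of - last_day).days
            findings.append(("CRITICAL", eid, f"BMS login {acct['bms_login']} still active {days} days after last day"))
        if m and m["account_enabled"] == "yes":
            findings.append(("CRITICAL", eid, f"M365 account {m['upn']} still enabled after last day"))
        if acct and acct["deactivated_on"] and m and m["disabled_on"]:
            if date.fromisoformat(acct["deactivated_on"]) > date.fromisoformat(m["disabled_on"]):
                findings.append(("HIGH", eid, "BMS deactivated after M365 account; runbook order is BMS first"))
    return findings


def severity_counts(findings):
    """Totals by severity, for the summary line of the signed review log."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, eid, msg in reconcile(HR_ROSTER, BMS_EXPORT, M365_EXPORT, "2026-03-31"):
        print(f"{sev:8} {eid} {msg}")
```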

The broker-of-record / principal-broker attestation: what you are signing

Ontario’s licensing regime puts a named individual on the hook for the brokerage’s regulatory posture. For mortgage brokerages, that is the principal broker under the Mortgage Brokerages, Lenders and Administrators Act, 2006 (MBLAA). For insurance brokerages, that is the registered principal broker under the Registered Insurance Brokers Act and RIBO’s by-laws. In either case the attestation includes representations about the brokerage’s policies, procedures, supervision, and (for mortgage brokerages) the IT risk management posture.

The attestation is annual. The evidence the regulator can ask for is point-in-time. A brokerage that drafts its policies on the day of the attestation and lets them age for 11 months is failing the spirit of the supervisory regime even if the wording of the attestation is technically true.

The evidence the regulator looks for is freshness: a risk register reviewed in the last 12 months, access reviews logged in the last quarter, a tabletop exercise within the last 12 months, training completions logged within the last year.

The attestation question that catches brokerages most often is the third-party / cloud-vendor question. The brokerage signs that it has a documented process for evaluating cloud vendors.

In practice that means a checklist on file, signed reviews for the major vendors (Microsoft 365, the BMS, any AI tool, the backup vendor, the email-security vendor), and a documented process for adding a new vendor. A blanket statement that “we use Microsoft 365 which is SOC 2” does not satisfy the obligation.

The internal benchmark across our 2025-26 Ontario brokerage engagements is consistent. The named-client moment that lands the FSRA attestation almost always reduces to three artifacts. A risk register dated within the last 12 months and signed by the principal broker. An access-review log signed within the last quarter. A tabletop after-action report within the last 12 months.

Our first-person field observation across 18+ brokerage rollouts is consistent. Brokerages with those three documents on file pass the cyber attestation question without follow-up. Brokerages without them get an evidence request that runs 30 to 45 days and usually surfaces a second supervisory finding before it closes.

FINTRAC and cyber: where the two regimes overlap, where you double-report

Mortgage brokers, mortgage lenders, and mortgage administrators are reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), administered by FINTRAC. Life insurance brokers and agents are also reporting entities. Property and casualty insurance brokers are generally not. According to FINTRAC’s public guidance for reporting entities, the relevant obligations include a compliance regime, suspicious-transaction reporting (STR), large cash transaction reporting where applicable, and record-keeping for client identification.

The overlap with cyber is the suspicious-transaction lens. A ransomware attack against a brokerage can produce a transaction signature that meets the STR threshold (an attempted wire transfer that the brokerage cancelled, an unauthorized client-facing payment instruction, a fraudulent BOR letter). When that signature shows up, the FINTRAC report runs in parallel with the FSRA notification. The two reports go to different agencies, on different timelines, with different content.

The runbook we deploy includes a decision branch at step 5 of the IT Risk Incident Notification SOP. If the incident has a financial-crime element, the IT lead loops in the named compliance officer, who runs the FINTRAC reporting process on its own clock.

The two streams do not converge until the post-incident review. Brokerages that try to merge them lose time on both sides and end up filing late with one of the two regulators.

The 90-day rollout: inventory, policy, IT controls, tabletop, notification SOP, renewal calendar

According to the RIBO Responsible AI Use guidance and the MBRCC Principles adopted by FSRA, an Ontario brokerage is expected to operationalize the control set, beyond simply buying it. The deployment path below compresses into 90 days. The IT work is 24 to 32 hours of MSP labour; the governance work fills the rest of the envelope.

  1. Days 1-10: asset inventory and risk register. Catalogue every device, account, SaaS app, and BMS-platform integration. Build the IT risk register, dated and signed by the principal broker. Output: signed risk register PDF.
  2. Days 11-20: governance policies. Draft the IT acceptable use, AI use (insurance only), access-control, and incident-response policies. Output: 4 to 6 policy PDFs in the brokerage governance folder.
  3. Days 21-45: Microsoft 365 Business Premium hardening. Enable MFA on every account, configure conditional access, deploy Defender for Business to every workstation, configure Defender for Office 365 anti-phish. Output: configuration export for each control, baseline screenshot set.
  4. Days 46-55: BMS and carrier credential review. Rotate lender or carrier credentials, audit role assignments, retire ex-agent accounts. Output: access review log signed by principal broker.
  5. Days 56-70: backup and recovery. Deploy third-party Microsoft 365 backup, document RPO and RTO, run the first restore test. Output: restore-test log.
  6. Days 71-80: tabletop exercise. Run a half-day tabletop scenario (ransomware against the BMS or business-email compromise against the principal broker). Walk through the 6-step IT Risk Incident Notification SOP end to end. Output: after-action report.
  7. Days 81-90: training and renewal calendar. Roll out the annual security-awareness training, calendar the quarterly access reviews, the annual tabletop, the annual policy refresh, and the FSRA / RIBO attestation cycle. Output: 12-month renewal calendar in the brokerage’s shared calendar.

The cost model for a 12-agent brokerage at the end of the 90 days is roughly CAD $32 per user per month on the security stack (Microsoft 365 Business Premium at CAD $26.40 per user plus third-party backup at CAD $4 to CAD $6 per user). Add a CAD $5,000 to CAD $9,000 one-time configuration engagement at typical Canadian MSP rates.

The runbook discipline that follows is the work that produces the FSRA-defensible posture, not the licence sticker.

Do and don’t: 8 things every brokerage gets wrong in the first cyber attestation

These are the patterns we see in the first attestation cycle when a brokerage hasn’t worked through the playbook before. Half of them are about evidence; the other half are about scope.

Do

  1. Treat the IT Risk Incident Notification SOP as a same-day clock starting at detection. The brokerage that waits for forensic certainty before notifying FSRA misses the window in 8 of 10 ransomware scenarios.
  2. Keep the evidence ledger fresh. A signed risk register dated 14 months ago will be flagged in supervisory review even if the content is current. Re-date and re-sign annually.
  3. Tie the BMS account lifecycle to the HR record. The credential that survives an agent’s departure is the credential that shows up in the breach forensics.
  4. Run the tabletop exercise with the principal broker in the room, not delegated. The attestation is on the principal broker; the practice has to be on the principal broker too.

Don’t

  1. Don’t use a free-tier consumer AI assistant for any client-facing artifact in an insurance brokerage. RIBO pillar 4 makes the vendor-residency and training-data question a hard requirement.
  2. Don’t treat “Microsoft 365 is SOC 2” as a sufficient third-party risk review. The MBRCC P8 expectation is a brokerage-side review, not a vendor-side certification.
  3. Don’t skip MFA on the BMS account because it has MFA at the Microsoft 365 layer. The platform credential is separate. The brokerage that misses this is the brokerage that gets the lender-portal compromise.
  4. Don’t conflate the FSRA notification with the FINTRAC suspicious-transaction report. They go to different agencies on different clocks. Run them in parallel, not in sequence.

Bottom line

The 2026 FSRA stack for Ontario brokerages is not vague. FSRA’s IT Risk Management Guidance, the MBRCC 9 principles, RIBO’s May 2025 Responsible AI Use, and FINTRAC’s long-standing reporting obligations form a coherent expectation set on both sides of the umbrella.

The licensing cost of the security stack is small. The runbook discipline that produces a defensible posture is the real work. A 12-agent brokerage that walks through the 90-day rollout ends with an FSRA-defensible attestation, the evidence on file to back it up, and a renewal calendar that keeps it fresh.

HOW THIS GUIDANCE WAS ASSEMBLED

This article draws on FC’s anonymized client data across multiple 2025-26 Ontario mortgage and insurance brokerage engagements, plus a named-client moment with the principal broker of a Hamilton mortgage brokerage whose FSRA cyber-readiness review we led under MBRCC principles.

It also draws on an original survey of broker-of-record and IT lead respondents conducted during 2026 Q1 onboarding calls, plus an FC internal benchmark covering 90-day cyber-hygiene sprints, Filogix hardening, and AI policy adoption across Ontario brokerage clients.

Layered over all of it is first-person field observation from CEO Mike Pearlstein’s 12-year practice supporting Ontario brokerages through FSRA-graded technology change.

Frequently Asked Questions

Does FSRA’s IT Risk Management Guidance apply to both Ontario mortgage brokerages and Ontario insurance brokerages?

Yes. FSRA regulates both sectors. The IT Risk Management Guidance, adopted in 2024, applies to all FSRA-regulated entities. For insurance brokerages, RIBO acts as the licensee-facing channel for activities under its mandate, but the FSRA IT-risk expectations and the IT Risk Incident Notification Form apply on both sides of the umbrella.

What is the FSRA IT Risk Incident Notification Form, and when do you file it?

It is the standardized form FSRA uses to receive prompt notification of material IT incidents at regulated entities. The supervisory expectation is initial notification the same business day the incident is detected, with a 5-business-day update and a closure report when remediation completes. The clock starts at reasonable suspicion of a material incident, not at forensic certainty.
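Turning that clock into dates is the part a runbook gets wrong under pressure, so here is an added example (our own illustration, not FSRA's form or any FSRA-published calculation). The same-business-day initial notification and the 5-business-day update follow the answer above; everything else is an assumption: business days are Monday to Friday, the business day closes at 17:00 local, a suspicion raised after close or on a non-business day is treated as arising at the next business day's open, and the HOLIDAYS set is a constructed placeholder the brokerage must populate from the real Ontario calendar.

```python
"""Added example (not from the article): FSRA notification deadlines keyed off
reasonable suspicion, not forensic certainty.

Assumptions (none of them from the page): Mon-Fri business days, 17:00 close,
after-hours or non-business-day suspicion rolls to the next business day, and
HOLIDAYS is a constructed placeholder to be filled from the Ontario calendar.
"""
from datetime import date, datetime, time, timedelta

BUSINESS_CLOSE = time(17, 0)                 # assumption
HOLIDAYS = {date(2026, 7, 1)}                # constructed placeholder: Canada Day only


def is_business_day(d: date) -> bool:
    return d.weekday() < 5 and d not in HOLIDAYS


def next_business_day(d: date) -> date:
    d += timedelta(days=1)
    while not is_business_day(d):
        d += timedelta(days=1)
    return d


def add_business_days(d: date, n: int) -> date:
    for _ in range(n):
        d = next_business_day(d)
    return d


def notification_deadlines(suspected_at) -> dict:
    """Accepts a datetime or an ISO-8601 string; returns ISO strings for the
    initial notification and the 5-business-day update."""
    if isinstance(suspected_at, str):
        suspected_at = datetime.fromisoformat(suspected_at)
    day = suspected_at.date()
    # Roll forward when suspicion lands after close or on a non-business day (assumption).
    if not is_business_day(day) or suspected_at.time() >= BUSINESS_CLOSE:
        day = next_business_day(day)
    fmt = lambda dt: dt.isoformat(timespec="minutes")
    return {
        "clock_started": fmt(suspected_at),
        "initial_notification_due": fmt(datetime.combine(day, BUSINESS_CLOSE)),
        "five_day_update_due": fmt(datetime.combine(add_business_days(day, 5), BUSINESS_CLOSE)),
    }


if __name__ == "__main__":
    # Constructed scenario: a helpdesk ticket flags a suspicious BMS login on a Friday evening.
    for key, value in notification_deadlines("2026-03-06T18:30").items():
        print(f"{key:26} {value}")
```

Feed it the timestamp of the ticket or alert that first raised reasonable suspicion, not the time the forensic review concluded; the Friday-evening scenario shows why the roll-forward rule has to be written down in advance rather than argued about on the Monday.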

How many cybersecurity principles does the MBRCC publish for mortgage brokerages?

Nine. The MBRCC Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector (April 2024) covers governance, risk assessment, asset inventory, access controls, threat detection, response planning, recovery, third-party risk, and ongoing training. FSRA adopted the document into its supervisory expectations for Ontario mortgage brokerages in 2024.

What are RIBO’s four pillars under the May 2025 Responsible AI Use guidance?

Competency and accountability, client interest and suitability, transparency and human oversight, and privacy and data protection. The guidance applies to any Ontario-licensed insurance broker using AI tools in the course of licensed activities. The IT controls that satisfy the pillars are an approval workflow, a human-in-the-loop step, a client-facing disclosure, and a vendor review for data residency and training use.

How much does the security stack cost for a 12-agent Ontario brokerage in 2026?

Roughly CAD $30 to $32 per user per month all-in. That is Microsoft 365 Business Premium at CAD $26.40 per user per month plus a third-party Microsoft 365 backup at CAD $4 to CAD $6 per user per month. Add a one-time CAD $5,000 to CAD $9,000 configuration engagement at typical Canadian MSP rates to land at an FSRA-defensible posture in 90 days.

Are mortgage brokers and insurance brokers reporting entities under FINTRAC?

Mortgage brokers, mortgage lenders, and mortgage administrators are reporting entities under the PCMLTFA. Life insurance brokers and agents are also reporting entities. Property and casualty insurance brokers are generally not. The FINTRAC obligations include a compliance regime, suspicious-transaction reporting, and record-keeping. They stack on top of the FSRA / MBRCC / RIBO obligations rather than replacing them.

Does a Canada-region Microsoft 365 tenant eliminate CLOUD Act exposure for a brokerage?

It reduces the practical exposure and sharpens the legal defence, but it does not eliminate the exposure. Microsoft Corporation is a US-incorporated parent and remains subject to US legal process. The brokerage’s mitigations are the contractual data-protection commitments in the Microsoft Customer Agreement, the in-region storage of core workload data, and a documented vendor-review record that the brokerage considered the residual risk.

What is the principal broker or broker-of-record signing in the annual attestation?

A representation that the brokerage’s policies, procedures, supervision, and IT risk management posture are in place and current. The regulator can request the evidence point-in-time, so the answer is only defensible if the risk register, access reviews, tabletop exercise, training completions, and vendor reviews are recently dated. Stale evidence fails the supervisory review even when the wording of the attestation is technically true.

How do I harden a Filogix or Velocity account for a mortgage brokerage?

Five steps. Enable platform-level MFA on every brokerage user account. Configure role-based permissions so junior agents see only their own files. Rotate lender-channel credentials quarterly. Enable audit logging and retain logs 12 months. Deactivate the BMS account before the Microsoft 365 account in the offboarding runbook: the platform credential is separate from the Microsoft 365 identity, so it stays live after the tenant account is disabled. The control set is parallel for BluMortgage, Finmo, and Newton (Lendesk).

How does Quebec Law 25 affect an Ontario brokerage with Quebec clients?

If the brokerage holds personal information about a Quebec resident, Law 25 applies regardless of where the brokerage is located. Obligations include a named person in charge of the protection of personal information (the privacy-officer role), a privacy-impact assessment before personal information is communicated outside Quebec and before any project that acquires, develops or redesigns an information system handling personal information, and mandatory notification of confidentiality incidents that present a risk of serious injury to the Commission d’accès à l’information and to the affected individuals. The threshold is the presence of the personal information, not the brokerage’s Quebec market share.

What evidence does FSRA actually look at during a supervisory examination?

Freshness, not just existence. Examiners ask for the dated risk register, the access-review log from the last quarter, the after-action report from the most recent tabletop, the training completions from the last year, and the signed vendor reviews. A brokerage that has the tools but cannot produce the evidence ledger will be flagged. A brokerage with a thinner toolset and a complete evidence ledger lands in a better position.
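The freshness test described above, and the attestation answer before it, come down to a ledger check the brokerage can run itself before the principal broker signs. The following is an added example (our own illustration, not an FSRA tool or checklist). The quarterly window for access reviews and the one-year window for training completions follow the wording of the answer; the windows for the risk register, the tabletop after-action report and vendor reviews are assumptions to be replaced with the brokerage's own policy cadence, and the sample ledger is constructed.

```python
"""Added example (not from the article): freshness check over the evidence
ledger behind the annual attestation.

Windows: access_review 90 days and training_completion 365 days follow the
article; the other three are assumptions. The sample ledger is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum age in days before an artifact is treated as stale.
MAX_AGE_DAYS = {
    "risk_register": 365,        # assumption
    "access_review": 90,         # "from the last quarter"
    "tabletop_aar": 365,         # assumption
    "training_completion": 365,  # "from the last year"
    "vendor_review": 365,        # assumption
}


@dataclass(frozen=True)
class Evidence:
    kind: str      # one of MAX_AGE_DAYS
    subject: str   # system, vendor or group the artifact covers
    dated: date    # date on the artifact itself, not the upload date
    signed: bool   # approved by the accountable owner


def ledger_report(ledger, today) -> dict:
    """Classify every required artifact kind as missing, stale or unsigned.
    'defensible' is True only when nothing is flagged."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {"missing": [], "stale": [], "unsigned": [], "defensible": False}
    for kind, max_age in MAX_AGE_DAYS.items():
        items = [e for e in ledger if e.kind == kind]
        if not items:
            report["missing"].append(kind)
            continue
        # Superseded versions do not count: judge only the newest artifact per subject,
        # so every vendor and every reviewed system is checked on its own.
        newest = {}
        for e in items:
            if e.subject not in newest or e.dated > newest[e.subject].dated:
                newest[e.subject] = e
        for e in newest.values():
            label = f"{kind}:{e.subject}"
            if today - e.dated > timedelta(days=max_age):
                report["stale"].append(label)
            if not e.signed:
                report["unsigned"].append(label)
    report["defensible"] = not (report["missing"] or report["stale"] or report["unsigned"])
    return report


def sample_ledger():
    """Constructed ledger for a brokerage reviewed on 2026-03-02."""
    d = date.fromisoformat
    return [
        Evidence("risk_register", "brokerage", d("2025-11-14"), True),
        Evidence("access_review", "Microsoft 365", d("2026-01-20"), True),
        Evidence("access_review", "Filogix", d("2025-07-01"), True),   # superseded below
        Evidence("access_review", "Filogix", d("2025-10-02"), True),   # newest, but older than a quarter
        Evidence("tabletop_aar", "ransomware-scenario", d("2025-09-30"), True),
        Evidence("training_completion", "all-agents", d("2025-06-15"), True),
        Evidence("vendor_review", "Microsoft", d("2025-08-01"), True),
        Evidence("vendor_review", "Filogix", d("2025-08-01"), False),  # reviewed, never signed off
    ]


if __name__ == "__main__":
    for key, value in ledger_report(sample_ledger(), "2026-03-02").items():
        print(f"{key:11} {value}")
```

Run it a month before the attestation date, not the week of: the two findings in the constructed ledger (a lender-portal access review that lapsed past the quarter and a vendor review nobody signed) are exactly the kind of thing an examiner asks for by date, and both are fixable in a month.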

What was the size of FSRA’s 2024-26 mortgage brokerage enforcement run?

Roughly CAD $875K in administrative monetary penalties across the sector through the 2025-26 supervisory cycle, the largest cluster of mortgage-sector AMPs since FSRA assumed its supervisory mandate. The pattern in the enforcement summaries is record-keeping failures, supervision lapses, and inadequate third-party risk reviews. The cybersecurity attestation is the next discipline FSRA has signalled it will examine more closely.

Get in Touch

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611